Saturday, 15 August 2015

Java/Spring UnrecoverableKeyException with SSL

Please note: although the specific question involves the ldaptive library, I believe it is purely a Java keytool/SSL/Spring question at heart.

I am using ldaptive on a Java (Spring) app server to authenticate users against an LDAP/AD server. When I deploy the WAR to Tomcat and start it up, I get the following exception:

(large stack trace above this, below is the root exception)
    ... 70 more
Caused by: java.security.UnrecoverableKeyException: requested entry requires a password
    at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:459)
    at java.security.KeyStore.getEntry(KeyStore.java:1290)
    at org.ldaptive.ssl.KeyStoreUtils.getEntry(KeyStoreUtils.java:129)
    at org.ldaptive.ssl.KeyStoreSslContextInitializer.createTrustManagers(KeyStoreSslContextInitializer.java:116)
    at org.ldaptive.ssl.AbstractSslContextInitializer.getTrustManagers(AbstractSslContextInitializer.java:41)
    at org.ldaptive.ssl.AbstractSslContextInitializer.initSslContext(AbstractSslContextInitializer.java:84)
    at org.ldaptive.ssl.TLSSocketFactory.initialize(TLSSocketFactory.java:68)
    at org.ldaptive.provider.jndi.JndiProvider.getJndiStartTLSConnectionFactory(JndiProvider.java:162)
    ... 83 more

The error is coming from this Spring bean:

<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
  <property name="credentialConfig">
    <bean class="org.ldaptive.ssl.KeyStoreCredentialConfig"
          p:keyStore="file:/etc/myapp/keys.jks"
          p:keyStorePassword="password"
          p:keyStoreType="jks"
          p:keyStoreAliases="kw-dj93d3j9-29kd-dj9k-dkow-dk3jd93jsjs8" />
  </property>
</bean>

As you can see, I'm telling ldaptive that on the local file system, under /etc/myapp, it will find a Java keystore called keys.jks. In that keystore is a key named "kw-dj93d3j9-29kd-dj9k-dkow-dk3jd93jsjs8".

When I use keytool to inspect the key:

cd /etc/myapp
keytool -list -keystore keys.jks
Enter keystore password: password
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

kw-dj93d3j9-29kd-dj9k-dkow-dk3jd93jsjs8, May 1, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): <long hexadecimal string here...>

It is worth mentioning that this is not a self-signed cert. The cert is from a reputable CA.

So I know the key is located in the keystore. However, I seem to remember that when I added the key to the JKS (several months ago), the key had a password on it (that I set to "password"). I've tried mucking around with keytool to see if I can have it ask me for the key's/alias's individual password (instead of the store-wide password), but I can't reproduce this, so that's just food for thought. If I had to guess, the keyStorePassword field in the Spring bean is correct, but the key requires a password, and ldaptive isn't taking that into account...

In any event, any ideas why I'm seeing this exception? And if I'm correct, and I can't alter ldaptive's source code, what are my options? Are there keytool commands I can use to drop the individual key's password and just take the store-wide one?

The stack trace doesn't appear to match the configuration posted. Specifically:

    at org.ldaptive.ssl.KeyStoreSslContextInitializer.createTrustManagers(KeyStoreSslContextInitializer.java:116)
    at org.ldaptive.ssl.AbstractSslContextInitializer.getTrustManagers(AbstractSslContextInitializer.java:41)

is configuring trust managers, not key managers. I would expect that exception to come from this config:

<bean class="org.ldaptive.ssl.KeyStoreCredentialConfig"
      p:trustStore="file:/etc/myapp/keys.jks"
      p:trustStorePassword="password"
      p:trustStoreType="jks"
      p:trustStoreAliases="kw-dj93d3j9-29kd-dj9k-dkow-dk3jd93jsjs8" />

Nevertheless, if you've found a bug, please file an issue here.
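The distinction the answer draws (a trust store is read with no entry password, a key store with one) can be checked directly against a keystore. The probe below is an added example, not ldaptive's code or code from the question: it reports whether an alias is a certificate or a key entry and what KeyStore.getEntry returns with no protection parameter and with the store password reused as the entry password. With no arguments it uses a constructed in-memory JCEKS sample whose entry password differs from the store password; with the arguments path, store password and alias it inspects a real JKS file such as the one in the question.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
public class KeyStoreEntryProbe {
    // Reports the entry kind for an alias and what KeyStore.getEntry() returns or throws
    // (a) with no protection parameter, which is how a trust store is read, and
    // (b) with the store password reused as the entry password.
    public static String probe(KeyStore ks, String alias, char[] storePass) throws Exception {
        if (!ks.containsAlias(alias)) return "alias not found";
        String kind = ks.isCertificateEntry(alias) ? "TrustedCertificateEntry" : "key entry";
        return kind + "; getEntry(null) -> " + tryGetEntry(ks, alias, null)
            + "; getEntry(storePass) -> " + tryGetEntry(ks, alias, new KeyStore.PasswordProtection(storePass));
    }
    private static String tryGetEntry(KeyStore ks, String alias, KeyStore.ProtectionParameter prot)
            throws Exception {
        try {
            return ks.getEntry(alias, prot).getClass().getSimpleName();
        } catch (UnrecoverableKeyException e) {
            // Thrown both for a null parameter on a key entry ("requested entry requires a password")
            // and for a wrong entry password.
            return "UnrecoverableKeyException: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks;
        char[] storePass;
        String alias;
        if (args.length == 3) {
            // Real file: java KeyStoreEntryProbe /etc/myapp/keys.jks password <alias>
            ks = KeyStore.getInstance("JKS");
            storePass = args[1].toCharArray();
            alias = args[2];
            try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, storePass); }
        } else {
            // Constructed sample: in-memory JCEKS store (it can hold a secret key without a
            // certificate) whose one key entry has its own password, distinct from the store password.
            ks = KeyStore.getInstance("JCEKS");
            ks.load(null, null);
            storePass = "password".toCharArray();
            alias = "sample-key";
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(128);
            ks.setEntry(alias, new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection("keypass".toCharArray()));
        }
        System.out.println(alias + ": " + probe(ks, alias, storePass));
    }
}
```

For the question's alias, a PrivateKeyEntry, the null-parameter case reproduces the stack trace's message, which is why it fails when the alias is listed as a trust store alias; the store-password case shows whether the key password also differs from the store password.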

java spring ssl keytool
